That was once true but no longer. Apps in the store can now run interpreted code from anywhere, downloaded, typed in, or bundled with the app. However, they can't implement their own app store outside of Apple's.
I'm only going to discuss interpreted code. The operating system prevents the execution of any object code that isn't signed by the App Store. The only exceptions are system processes, like JavaScript just-in-time compilation performed by WebKit.
Let me go through the changes in section 3.3.2 of the Apple Developer Program License Agreement. I'm going to skip over some things, because I can't find copies of the very earliest agreements, and I haven't read every single one since.
iPhone SDK Agreement, revised 2008-10-20:
3.3.2 An Application may not itself install or launch other executable code
by any means, including without limitation through the use of a plug-in
architecture, calling other frameworks, other APIs or otherwise.
No interpreted code may be downloaded and used in an Application except for
code that is interpreted and run by Apple's Published APIs and built-in
interpreter(s).
This bans web browsers with custom engines that run JavaScript, Flash, or Java applets, and it also keeps out alternative app stores. You can display web pages that contain JavaScript, but they have to run inside of the WebKit framework. It seems to allow bundled scripts running on a custom interpreter.
On 2009-03-17, it was changed to this:
3.3.2 An Application may not itself install or launch other executable code
by any means, including without limitation through the use of a plug-in
architecture, calling other frameworks, other APIs or otherwise.
No interpreted code may be downloaded or used in an Application except for
code that is interpreted and run by Apple's Documented APIs and built-in
interpreter(s).
Now it says “downloaded OR used”, not AND. So this is even stronger, and prevents an app from containing any amount of interpreted code. It seems to ban lots of games that run an embedded scripting engine.
The iPhone Developer Program License Agreement, revised on 2010-06-07, says:
3.3.2 An Application may not itself install or launch other executable code
by any means, including without limitation through the use of a plug-in
architecture, calling other frameworks, other APIs or otherwise.
Unless otherwise approved by Apple in writing, no interpreted code may be
downloaded or used in an Application except for code that is interpreted
and run by Apple's Documented APIs and built-in interpreter(s).
Notwithstanding the foregoing, with Apple’s prior written consent, an
Application may use embedded interpreted code in a limited way if such use
is solely for providing minor features or functionality that are consistent
with the intended and advertised purpose of the Application.
Okay, so game scripts are now legal again, with permission.
A year later, the iOS Developer Program License Agreement (2011-06-06):
3.3.2 An Application may not download or install executable code.
Interpreted code may only be used in an Application if all scripts, code
and interpreters are packaged in the Application and not downloaded. The
only exception to the foregoing is scripts and code downloaded and run by
Apple's built-in WebKit framework.
So now you don't have to ask permission to use bundled scripts. Also, they mention the WebKit framework specifically. Sometime later, iOS exposed JavaScriptCore and made it possible to run downloaded scripts that aren't embedded in a web page.
On June 5th of this year, the Apple Developer Program License Agreement (which applies to both the iOS and Mac App Stores) was revised to:
3.3.2 Except as set forth in the next paragraph, an Application may not
download or install executable code. Interpreted code may be downloaded to
an Application but only so long as such code: (a) does not change the
primary purpose of the Application by providing features or functionality
that are inconsistent with the intended and advertised purpose of the
Application as submitted to the App Store, (b) does not create a store or
storefront for other code or applications, and (c) does not bypass signing,
sandbox, or other security features of the OS.
An Application that is a programming environment intended for use in
learning how to program may download and run executable code so long as the
following requirements are met: (i) no more than 80 percent of the
Application’s viewing area or screen may be taken over with executable code,
except as otherwise permitted in the Documentation, (ii) the Application
must present a reasonably conspicuous indicator to the user within the
Application to indicate that the user is in a programming environment, (iii)
the Application must not create a store or storefront for other code or
applications, and (iv) the source code provided by the Application must be
completely viewable and editable by the user (e.g., no pre-compiled
libraries or frameworks may be included with the code downloaded).
So now downloaded scripts don't have to be JavaScript and don't have to run inside of Apple's interpreter. (The second paragraph doesn't even apply to iOS, because it's not even possible to execute unsigned code.) So now Google and Mozilla can rewrite their iOS web browsers to use their own Blink and Gecko engines, instead of merely wrapping WebKit, though the system will still prevent them from doing JIT compilation. Hell, they could even support Flash if they wanted to.
It's funny, but no one has seemed to notice this except for The Register.